From Malware Atoms to Cybersecurity Chemistry

Keeping pace with the increasing sophistication of cyber attacks can often seem like a Sisyphean task. Attackers have a constantly evolving arsenal of malware and tools at their disposal, a broad attack surface to target and often only need to succeed in infecting a single victim in order to compromise an entire network. While attackers may appear to have the advantage, the problem is not intractable.

There are fundamental skills and strategies at our disposal that can help level the playing field and in some cases even use the attacker’s advantages against him. In fact, as we begin to expand the scope and context of our cybersecurity intelligence, it is possible to use the complexity of an attack to our advantage.

The traditional approach to security has been to focus on individual malicious agents such as a piece of malware or a vulnerability exploit. IPS products scan for known patterns of exploit code, and antivirus products look for markers or file hashes of known malware samples. This is logical – if we can find the source of an infection, then we can stop the downstream consequences.

However, as cyber attackers have evolved, they have become more patient, long-term and strategically focused on the key assets deep within a network. Instead of a smash-and-grab robbery performed at the time of infection, attackers have adopted a slow-and-steady approach to take full advantage of the access they gain after a successful infection.

Moving Our Understanding From Atoms to Chemistry

Even in the face of this challenge, the network security industry has largely remained focused on developing better, faster detections of malware. Malware sandboxes have improved malware detection rates, but even these technologies are not a panacea, as attackers have become increasingly skilled at evading the sandbox environment. Similarly, tracking malicious IP addresses and URLs has provided additional indicators of malware. But again, attackers can easily acquire clean IP addresses and URLs to hide from this style of detection.

More importantly, these approaches continue to equate the malware infection with the attack itself, when in reality the infection is a piece of a much broader and more complex operation. In a sense, the industry has become overly focused on identifying malicious “atoms” when we really need to understand the malicious “chemistry” of how all the pieces of an attack interact with one another in a system. This level of understanding typically requires broadening the scope of security analysis both in terms of location and time.

Applying a Data Science Approach

If you are going to see the full scope of an attack, then you need to analyze as much traffic as possible, and this includes internal traffic as well as the traditionally monitored traffic going to and from the Internet. Likewise, if you hope to see a complex attack then you need to analyze, remember, and retain context of the events around it over a long period of time. If your memory ends with the analysis of an atomic event from an individual network session, then it is going to be virtually impossible to identify the chemistry of an attack that progresses over days, weeks or months.

This is where behavioral analysis of the internal network can provide the missing component to existing security technologies. Instead of looking for the symptoms of atomic malware, we can look for the actual malicious actions of the cyber attack inside the network.

Once inside the network, an attacker will need to find some way to spread deeper within the network. This requires performing additional reconnaissance, spreading more malware, and escalating his privilege by stealing and using credentials. Ultimately, the attacker needs to accumulate and steal key data.

Just like the initial malware infection, these steps are fundamental to the success of the attack. And while a piece of malware can always play dead in a sandbox, attackers fundamentally must perform malicious actions in the network in order to be successful.

No More Gaming the Test

In addition to seeing more of the lifecycle of an attack, behavioral analysis lets us focus on what is actually happening in the network as opposed to the simple on/off of a signature. Signature-based solutions are inherently binary: either the sample is malicious or it is benign. While this is highly beneficial for making blocking decisions, this same trait can easily be used to the advantage of a dedicated attacker.

As long as he can ensure his exploit, malware, or IP address doesn’t trigger as being malicious, then it is assumed to be benign and the attack becomes virtually invisible. Hiding within encrypted traffic, repackaging or customizing malware, and utilizing trusted IP addresses are easy and common methods to evade signature-based detections.

However, by focusing on the actual malicious behavior within our networks, we remove the ability for attackers to game the test. While an attacker can always hide one of his tools, he fundamentally has to spy, spread and steal within a network in order to be successful. And just as importantly, these behaviors are recognizable regardless of the tool being used.

For example, while there are countless port scanning tools that run on countless types of devices and support a myriad of scan types, in aggregate they all need to perform the same fundamental behavior in order to do their job. The same is true for remote access tools, or RATs, which attackers use to remotely control the more delicate stages of their attacks. By focusing on what the tools do, we can avoid the old pitfalls that have traditionally plagued signatures.
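
The port scanning point, combined with the earlier point about retaining context over time, as an added example that is not from the original article or any vendor's product: it flags sources by fan-out to distinct host:port targets and by failure ratio, never by tool signature, and shows a slow scan that a five-minute memory misses but a multi-day memory catches. The flow record layout, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

def build_sample_flows():
    """Constructed flow records: (epoch_s, src, dst, dst_port, succeeded)."""
    flows = []
    # Workstation using the same two servers all day (benign).
    for i in range(200):
        flows.append((i * 400, "10.0.0.5", f"10.0.1.{10 + i % 2}", 443, True))
    # Patch server reaching 60 hosts in an hour; every connection succeeds.
    for i in range(60):
        flows.append((i * 60, "10.0.0.9", f"10.0.3.{i + 1}", 8530, True))
    # Slow internal scan: one new host:port every 30 minutes for two days,
    # almost always refused or timed out.
    for i in range(96):
        port = 445 if i < 48 else 3389
        flows.append((i * 1800, "10.0.0.66", f"10.0.2.{i % 48 + 1}", port, i % 12 == 0))
    return flows

def scan_suspects(flows, window, min_targets=20, min_fail_ratio=0.5):
    """Flag sources by what they do: many distinct host:port targets, mostly
    failing, inside one tumbling window of `window` seconds. The thresholds
    are illustrative assumptions, not tuned values."""
    buckets = defaultdict(lambda: {"targets": set(), "attempts": 0, "failures": 0})
    for ts, src, dst, port, ok in flows:
        b = buckets[(src, ts // window)]
        b["targets"].add((dst, port))
        b["attempts"] += 1
        b["failures"] += 0 if ok else 1
    suspects = {}
    for (src, _), b in buckets.items():
        fail_ratio = b["failures"] / b["attempts"]
        if len(b["targets"]) >= min_targets and fail_ratio >= min_fail_ratio:
            suspects[src] = max(suspects.get(src, 0), len(b["targets"]))
    return suspects  # {source: largest distinct-target count in a flagged window}

if __name__ == "__main__":
    flows = build_sample_flows()
    for label, window in [("5 minutes", 300), ("1 day", 86400), ("7 days", 7 * 86400)]:
        print(f"memory of {label}: {scan_suspects(flows, window)}")
```

The patch server touches more hosts per hour than the scanner does, yet is never flagged because its connections succeed; the failure ratio is what separates broad legitimate fan-out from probing in this sketch.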

It is important to note that behavioral analysis and data science provide a complement to and not a replacement for traditional detection technologies.

Over-rotating in either direction can easily lead to problems, as each approach will naturally have its strengths and weaknesses. However, as attackers have evolved, it is increasingly clear that our security must evolve as well. By building security controls that identify and correlate the malicious behaviors of an attack, we can begin to tip the scales back in our favor.

Wade Williamson is Director of Product Marketing at Vectra Networks. Prior to joining Vectra, he was a Senior Threat Researcher at Shape Security. He has extensive industry experience in intrusion prevention, malware analysis, and secure mobility. He has extensive speaking experience having delivered the keynote for the EICAR malware conference and led the Malware Researcher Peer Discussion at RSA. Prior to joining Shape, he was Sr. Security Analyst at Palo Alto Networks where he led the monthly Threat Review Series and authored the Modern Malware Review. He has also led the product management team at AirMagnet where he helped to develop a variety of security and network analysis tools targeted to WiFi networks. He has been a steady and active researcher of new threats and techniques used to compromise enterprise networks and end-users.